RE: change NT passwords Kerberos

From: Robert Tillman <Robert.Tillman(at)veritas.com>
Date: Thu Jul 31 2003 - 13:32:38 EDT

It may be because your Linux system doesn't have creds and is not a principal in the M$ AD with kerberos implementation, Such as it is.

I hope the following helps.

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechn ol/windows2000serv/deploy/kerberos.asp

-----Original Message-----
From: bryantac67@yahoo.com [mailto:bryantac67@yahoo.com] Sent: Wednesday, July 30, 2003 2:12 PM
To: focus-ms@securityfocus.com
Subject: change NT passwords Kerberos

Hi,

I am using Kerberos to authenticate against our AD (it has Kerberos setup on it). I am able login fine and everything, but I cannot change my password. This is the error I get:

Jul 29 11:11:19 passwd[7437]: (pam_krb5) pam_sm_authenticate: krb5_get_init_creds_password: KDC can't fulfill requested option
Jul 29 11:11:19 passwd[7437]: (pam_krb5) pam_krb5_get_authtok: Authentication failure Jul 29 11:11:19 passwd[7437]: (pam_krb5) pam_sm_chauthtok: pam_krb5_get_authtok returns Authentication failure
Jul 29 11:11:19 passwd[7437]: (pam_krb5) pam_sm_chauthtok: result for user `xxxx': Authentication failure
Jul 29 11:11:19 passwd[7437]: User xxxx: Authentication failure

I looked around a little, and I read that the ticket need to be forwardable and renewable. I tried adding these options to my pam, but it made no difference. I don't know what version of Kerberos is installed on our AD, but the clients are running Heimdal. Is there anything I need to do to fix this problem?? There is a patch for Heimdal - MIT interoperability, and I've installed it, but still no success. Any ideas??? Any help is much appreciated.

Thanks,
Aaron

---

Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com

---

Your network firewall and IDS products do not prevent Web application attacks - the most common form of online exploitation- resulting in Web defacement, data theft, sabotage and fraud. KaVaDo is the only company that provides a complete suite of Web application security products.
Download a FREE whitepaper on "Security Policy Automation for Web Applications":http://www.securityfocus.com/Kavado-focus-ms

---

---

Your network firewall and IDS products do not prevent Web application attacks - the most common form of online exploitation- resulting in Web defacement, data theft, sabotage and fraud. KaVaDo is the only company that provides a complete suite of Web application security products.
Download a FREE whitepaper on "Security Policy Automation for Web Applications":http://www.securityfocus.com/Kavado-focus-ms

---

Received on Fri Aug 1 10:50:20 2003